Analysis
-
max time kernel
66s -
max time network
150s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
10-11-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk
-
Size
2.2MB
-
MD5
5525349628783c345f3a506d6f762f3f
-
SHA1
f921c000517391932e4aa7c6c281e003f2d8c2ac
-
SHA256
edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516
-
SHA512
2166a00e9e0b6fa44d7df38b5474f7cf0ae60fe94b8da9f6dc4935731e84229f7c381f31e661d067e07892cbcf39385f1fef25c91719d4bb16f209b1bf19882c
-
SSDEEP
49152:jNaMSlwqlbLcxCWHvKom475X6EfkZl1GjbTV6ocEe8ZqSbcBtk3X0grbbTWqbvL8:oMSl9bwxNHvEg5X6EfWKTA7EFqSgrWkf
Malware Config
Extracted
cerberus
http://5.161.217.34/
Signatures
-
Cerberus family
-
pid Process 4469 com.film.chapter -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.film.chapter/app_DynamicOptDex/dQ.json 4469 com.film.chapter [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.film.chapter/app_DynamicOptDex/dQ.json] 4469 com.film.chapter [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.film.chapter/app_DynamicOptDex/dQ.json] 4469 com.film.chapter -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.film.chapter Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.film.chapter -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.film.chapter -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.film.chapter -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.film.chapter -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.film.chapter -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.film.chapter -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.film.chapter -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.film.chapter
Processes
-
com.film.chapter1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4469
Network
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.169.14
-
Remote address:1.1.1.1:53Requestssl.google-analytics.comIN AResponsessl.google-analytics.comIN A172.217.169.72
-
Remote address:1.1.1.1:53Requestpngimage.netIN AResponsepngimage.netIN A104.21.33.28pngimage.netIN A172.67.140.187
-
Remote address:1.1.1.1:53Requestfreeiconshop.comIN AResponsefreeiconshop.comIN A195.179.237.77
-
Remote address:104.21.33.28:443RequestGET /wp-content/uploads/2018/06/white-tick-png-8.png HTTP/2.0
host: pngimage.net
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: com.film.chapter
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9
ResponseHTTP/2.0 522
content-type: text/html; charset=UTF-8
content-length: 7063
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zN3BZlZwvQohOKlHma4MKDjiL%2FGFAm%2F4%2FCWS8ea4Wv3fXO1LbIQHxkKMc4kj9yRctJIg4jPkyy%2FQNKIWOWYpg38fA%2FtLj3dfC31d%2BXnXkoJFZzX1njJnEFmXqwfeXqY%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
referrer-policy: same-origin
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
server: cloudflare
cf-ray: 8e0954f28d9b8877-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33578&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2852&recv_bytes=1058&delivery_rate=80785&cwnd=253&unsent_bytes=0&cid=7ae62cbfb019f044&ts=19616&x=0"
-
Remote address:195.179.237.77:443RequestGET /wp-content/uploads/edd/android-flat.png HTTP/2.0
host: freeiconshop.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: com.film.chapter
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9
ResponseHTTP/2.0 200
expires: Mon, 10 Nov 2025 22:03:19 GMT
content-type: image/png
last-modified: Mon, 20 Nov 2017 16:17:50 GMT
etag: "262e-5a13002e-2bcbf6f4ea0f20d9;;;"
accept-ranges: bytes
content-length: 9774
date: Sun, 10 Nov 2024 22:03:19 GMT
server: LiteSpeed
platform: hostinger
panel: hpanel
content-security-policy: upgrade-insecure-requests
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
-
Remote address:5.161.217.34:80RequestPOST //gate.php HTTP/1.1
Content-Length: 832
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
Host: 5.161.217.34
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 308 Permanent Redirect
Date: Sun, 10 Nov 2024 22:03:47 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
-
Remote address:5.161.217.34:80RequestPOST //gate.php HTTP/1.1
Content-Length: 840
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
Host: 5.161.217.34
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 308 Permanent Redirect
Date: Sun, 10 Nov 2024 22:04:22 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
-
Remote address:5.161.217.34:80RequestPOST //gate.php HTTP/1.1
Content-Length: 840
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
Host: 5.161.217.34
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 308 Permanent Redirect
Date: Sun, 10 Nov 2024 22:04:32 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
-
Remote address:5.161.217.34:80RequestPOST //gate.php HTTP/1.1
Content-Length: 840
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
Host: 5.161.217.34
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 308 Permanent Redirect
Date: Sun, 10 Nov 2024 22:05:02 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
-
Remote address:5.161.217.34:80RequestPOST //gate.php HTTP/1.1
Content-Length: 840
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
Host: 5.161.217.34
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 308 Permanent Redirect
Date: Sun, 10 Nov 2024 22:05:12 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
-
Remote address:5.161.217.34:80RequestPOST //gate.php HTTP/1.1
Content-Length: 840
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
Host: 5.161.217.34
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 308 Permanent Redirect
Date: Sun, 10 Nov 2024 22:05:22 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
-
Remote address:5.161.217.34:80RequestPOST //gate.php HTTP/1.1
Content-Length: 840
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
Host: 5.161.217.34
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 308 Permanent Redirect
Date: Sun, 10 Nov 2024 22:05:33 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
-
1.5kB 40 B 1 1
-
1.5kB 40 B 1 1
-
5.6kB 8.7kB 23 23
-
1.3kB 6.2kB 8 8
-
1.9kB 11.6kB 17 15
HTTP Request
GET https://pngimage.net/wp-content/uploads/2018/06/white-tick-png-8.pngHTTP Response
522 -
1.8kB 15.1kB 15 14
HTTP Request
GET https://freeiconshop.com/wp-content/uploads/edd/android-flat.pngHTTP Response
200 -
1.8kB 5.9kB 11 11
-
1.4kB 409 B 6 4
HTTP Request
POST http://5.161.217.34//gate.phpHTTP Response
308 -
436 B 40 B 2 1
-
10.9kB 10.5kB 26 30
-
1.3kB 357 B 4 3
HTTP Request
POST http://5.161.217.34//gate.phpHTTP Response
308 -
1.3kB 357 B 4 3
HTTP Request
POST http://5.161.217.34//gate.phpHTTP Response
308 -
1.3kB 357 B 4 3
HTTP Request
POST http://5.161.217.34//gate.phpHTTP Response
308 -
1.3kB 357 B 4 3
HTTP Request
POST http://5.161.217.34//gate.phpHTTP Response
308 -
1.3kB 357 B 4 3
HTTP Request
POST http://5.161.217.34//gate.phpHTTP Response
308 -
1.3kB 357 B 4 3
HTTP Request
POST http://5.161.217.34//gate.phpHTTP Response
308
-
3.7kB 11
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
172.217.169.14
-
70 B 86 B 1 1
DNS Request
ssl.google-analytics.com
DNS Response
172.217.169.72
-
58 B 90 B 1 1
DNS Request
pngimage.net
DNS Response
104.21.33.28172.67.140.187
-
62 B 78 B 1 1
DNS Request
freeiconshop.com
DNS Response
195.179.237.77
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD54c405a425d5263f6490085bfe1fb6906
SHA10ff79f0859caf8f84b2615d0c4595772e54829e1
SHA256148d01b45d3de9c9aa01045bafd5c72a1608c4449566aea7955592358dfb12f0
SHA5124b82ba1dbfe39d18a9e3719c87c5f076bc68fc7fa07db0caddbaa5abd41ac6628620dfbbe155d25667310ba1a2674c2cad76d4255ab68a7f161c0a0f70072bd2
-
Filesize
53KB
MD57ab72394bb86d1d70c5882a6dcd07357
SHA13a4e06074220cb735df034060b922d6288e399bc
SHA2566491724426a3dfb5a5ccb9745d4d22fda480d725a6104de1bd699cce9dfc661b
SHA51272099ad30a713ca88122567ab696d292559452e525d5d6bc6a2f4a1d416738f9973daf27c7b548620403ea3190f2b2bc5557847e4a7a55429928dfa57376e98f
-
Filesize
160B
MD52508932e5d043772575f9b632e4da319
SHA1f6eec2e2684a264b507301bc958987a0d4fd1100
SHA256cdc776a845ded9e2e4e7fab3a2b6bb32ddb6d8095b126fe8e69d299b1de1816b
SHA512bdf4993ba4843c602d00e453efcf5840760b24c7680bb77c3ea59d1200ce297fc5fdff4d4cd2811b60dd35a99f21c6dce8c866adc6626bb5cf4100d47137dbb5
-
Filesize
103KB
MD58370872f52a44a97444de3c6835e7e14
SHA1ca35fa3e2883466c8b089b16f6a2745d9e335697
SHA2568532c8b0f978411313e05b4ab29eaff23a197781d42155ca6a26268e06df4586
SHA5126ee776db5608d091b6b84db8831590bda010e90e3168cbe3af39743c2e9a62d75f61219f3dac52fe16ed75a919149d07dfbc0861f67dbeaf5f3d2e3201cd3f01